AUTHENTICATION OF DATA COMMUNICATIONS

US 20090265776A1
Filed: 04/17/2009
Published: 10/22/2009
Est. Priority Date: 04/18/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus for authenticating communication between a user computer and a server via a data communications network, the apparatus comprising:

a security device having;

a memory containing security data; and

a security logic configured to use the security data to generate an authentication response to an authentication message received from the server in use;

an interface device configured for data communication with the security device, the interface device having;

a receiver configured to receive from the user computer an authentication output containing the authentication message sent by the server to the user computer in use; and

an interface logic configured to extract the authentication message from the authentication output and to send the authentication message to the security device; and

a communications interface configured to connect to the server via a communications channel bypassing the user computer, wherein one of the security device and interface device is configured to send the authentication response to the server via the communications channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for authenticating communications between a user computer and a server via a data communications network. A security device has memory containing security data, and security logic to use the security data to generate an authentication response to an authentication message received from the server in use. An interface device communicates with the security device. The interface device has a receiver for receiving from the user computer an authentication output containing the authentication message sent by the server to the user computer in use, and interface logic adapted to extract the authentication message from the authentication output and to send the authentication message to the security device. Includes a communications interface for connecting to the server via a communications channel bypassing the user computer. Either the security device or interface device sends the authentication response to the server via the communications channel bypassing the user computer.

Citations

25 Claims

1. An apparatus for authenticating communication between a user computer and a server via a data communications network, the apparatus comprising:
- a security device having;
  
  a memory containing security data; and
  
  a security logic configured to use the security data to generate an authentication response to an authentication message received from the server in use;
  
  an interface device configured for data communication with the security device, the interface device having;
  
  a receiver configured to receive from the user computer an authentication output containing the authentication message sent by the server to the user computer in use; and
  
  an interface logic configured to extract the authentication message from the authentication output and to send the authentication message to the security device; and
  
  a communications interface configured to connect to the server via a communications channel bypassing the user computer, wherein one of the security device and interface device is configured to send the authentication response to the server via the communications channel.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus according to claim 1, wherein at least one of the security logic and the interface logic is configured to send the authentication response to the server via the communications channel.
  - 3. The apparatus according to claim 1, wherein the interface logic is configured to receive the authentication response from the security device.
  - 4. The apparatus according to claim 1, wherein the receiver comprises:
    - an image sensor configured to receive an authentication output image, the image sensor encoding the authentication message displayed by the user computer.
  - 5. The apparatus according to claim 1, wherein the receiver comprises:
    - a microphone configured to receive an auditory authentication output, the microphone configured to encode the authentication message generated by the user computer.
  - 6. The apparatus according to claim 1, wherein the receiver comprises:
    - an RF receiver configured to receive an RF authentication output, the RF receiver configured to encode the authentication message transmitted by the user computer.

7. A method for authenticating communication between a user computer and a server via a data communications network, the method comprising:
- sending an authentication message via the data communications network to the user computer;
  
  producing an authentication output containing the authentication message;
  
  receiving the authentication output from the user computer;
  
  extracting the authentication message from the authentication output;
  
  sending the authentication message to the security device;
  
  generating an authentication response to the authentication message using security data stored in the security device; and
  
  sending the authentication response to the server via a communications channel which bypasses the user computer.

8. An intrusion detection method for a data communications system in which a security device having memory containing security data is adapted for data communications with a remote server via an interface device for communicating with the server via a first communications channel and is operative to communicate with the server via at least one further communications channel, the method comprising:
- sending an authentication message from the server to the security device using said first and said at lease one further channels in respective authentication communications;
  
  sending an authentication response generated from the security data by the security device to the server for mutual authentication thereof;
  
  detecting differences between authentication results from said communications using said first and said at lease one further channels; and
  
  identifying potentially compromised components of said data communications system based on said differences.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method according to claim 8, further comprising:
    - performing said authentication communications using said first and said at lease one further channels in parallel; and
      
      detecting differences between the authentication results from the parallel communications.
  - 10. The method according to claim 8, further comprising:
    - detecting differences between said authentication results from authentication communications performed at different times during a communications session with the server.
  - 11. The method according to claim 8, wherein the step of detecting differences between authentication results is performed at the security device or at the server.
  - 12. The method according to claim 8, wherein the step of detecting differences between authentication results is performed both at the server and the security device.

13. A data communications system, comprising:
- a server;
  
  a first interface device operative to communicating data with the server via a first communications channel of the system;
  
  a security device having memory containing security data operative to communicate with the server via the first interface device and operative to communicate with the server via at least one further communications channel of the system; and
  
  intrusion detection logic;
  
  wherein the server and security device are operative to use said first and said at lease one further channels in authentication communications in which the server sends an authentication message to the security device and the security device sends an authentication response generated using said security data to the server for mutual authentication thereof; and
  
  wherein the intrusion detection logic is operative to detect differences between authentication results from said communications using said first and said at least one further channels and to identify potentially compromised components of the data communications system based on said differences.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system according to claim 13, wherein the first interface device communicates with the security device and a user computer for communicating via said first channel with the server over a data communications network.
  - 15. The system according to claim 13, wherein the security device is operative to communicate with the server via each of the further channels.
  - 16. The system according to claim 13, further comprising:
    - at least one further interface device adapted to communicate with the security device and operative to communicate with the server via said further communications channel.
  - 17. The system according to claim 13, wherein the server and security device are adapted to perform said authentication communications using said first and said at least one further channel in parallel, and wherein the intrusion detection logic is adapted to detect differences between the authentication results from the parallel communications.
  - 18. The system according to claim 13, wherein the intrusion detection logic is adapted to detect differences between said authentication results from authentication communications performed at different times during a communications session with the server.

19. An authentication apparatus for authenticating data communications with a remote server, the apparatus comprising:
- a security device having memory containing security data, and a security logic adapted to use the security data in authentication communications with the server to generate an authentication response to an authentication message received from the server;
  
  a first interface device adapted for data communications with the security device and adapted for data communications with the server via a first communications channel;
  
  at least one communications interface for communicating with the server via a second communications channel; and
  
  channel selection logic adapted to select one of said communications channels for authentication communications with the server in dependence on a security indicator associated with a communication from the server on the first communications channel, the channel selection logic being adapted to send said authentication response, generated by the security logic in said authentication communications, to the server via the selected communications channel.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The apparatus as claimed in claim 19, wherein the first interface device is adapted to interface between the security device and a user computer for communicating with the server via said first communications channel, and wherein said communications interface is adapted for communicating with the server via a second communications channel which bypasses the user computer.
  - 21. The apparatus as claimed in claim 19, wherein the security device includes said channel selection logic.
  - 22. The apparatus as claimed in claim 19, including a plurality of communications interfaces for communicating with the server via a second communications channel.
  - 23. The apparatus as claimed in claim 19, wherein the first interface device includes a said communications interface for communicating with the server via a second communications channel.
  - 24. The apparatus as claimed in claim 19, wherein the security device includes said communications interface for communicating with the server via a second communications channel.

25. A method for authenticating data communications with a remote server performed by a security device which has memory containing security data, the security device adapted for data communications with an interface device for communicating with the server via a first communications channel, and which is operative to communicate with the server via a second communications channel, the method comprising:
- selecting one of said first and second communications channels for authentication communications with the server in dependence on a security indicator associated with a communication from the server on the first communications channel;
  
  in response to an authentication message received from the server, using said security data to generate an authentication response; and
  
  sending the authentication response to the server via the selected communications channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Visegrady, Tamas, Buhler, Peter, Kramp, Thorsten, Eirich, Thomas, Osborne, Michael Charles, Kuyper-Hammond, Michael Peter, Baentsch, Michael

Granted Patent

US 8,990,912 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

H04W 12/068   using credential vaults, e....

H04W 8/245   from a network towards a te...

H04W 88/02   Terminal devices

AUTHENTICATION OF DATA COMMUNICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION OF DATA COMMUNICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links